Using OAuth 2.0 Token Introspection Library Functions
| To view an example policy project that uses Flex Gateway Policy Development Kit (PDK)'s Token Introspection feature, see OAuth 2.0 Token Introspection Policy Example. |
Use the Flex Gateway Policy Development Kit (PDK) Token Introspection library functions to validate incoming OAuth 2.0 tokens with an upstream introspection service.
Configure the Token Validator
To access OAuth 2.0 Token Introspection functionality, you must import the token_introspection module from the PDK crate and inject the TokenValidatorBuilder in the configure function.
use pdk::token_introspection::{IntrospectionResult, ParsedToken, ScopesValidator, TokenValidator, TokenValidatorBuilder};
#[entrypoint]
async fn configure(
launcher: Launcher,
Configuration(bytes): Configuration,
validator_builder: TokenValidatorBuilder,
) -> Result<()> {
// [...]
// Create a token validator
let mut validator_instance = validator_builder
.new("token-cache")
.with_path("/introspect")
.with_authorization_value("Basic YWRtaW46YWRtaW4=") // Choose either authorization value or client ID and secret depending on your service authorization. No authorization header is sent if with_authorization_value() isn't defined.
.with_client_id("client-id") // Client ID and secret are sent as form params in the body of the request
.with_client_secret("client-secret")
.with_expires_in_attribute("exp")
.with_max_token_ttl(600)
.with_timeout_ms(10000)
.with_max_cache_entries(10000)
.with_scopes_validator(ScopesValidator::all(scopes_vector))
.with_service(config.my_service)
.with_protected_resource_metadata(config.auth_server_url) // Choose .with_protected_resource_metadata_with_properties() if additional properties are required
.build();
// [...]
}The TokenValidatorBuilder provides these methods to configure the token validator. You must call with_service before build, all other methods are optional:
| Method | Parameter | Default | Description |
|---|---|---|---|
|
path ( |
|
Sets the introspection endpoint path. |
|
value ( |
|
Sets the authorization header value for introspection requests. |
|
value ( |
No default |
Sets the client ID credential to talk with the introspection service. |
|
value ( |
No default |
Sets the client secret credential to talk with the introspection service. |
|
attr ( |
|
Sets the attribute name for expiration time in the introspection response. |
|
ttl ( |
|
Sets the maximum token TTL in seconds; tokens with a longer TTL are treated as expired. Use |
|
timeout ( |
|
Sets the timeout for introspection requests in milliseconds. |
|
max_entries ( |
|
Sets the maximum number of entries in the token cache. |
|
validator ( |
No default |
Sets the scopes validator for token validation (for example, |
|
service ( |
No default (required) |
Sets the OAuth2 introspection service endpoint. Required to build the validator. |
|
authorization server url (impl Into<String>) |
No default |
Enables RFC 9728 protected resource discovery with the given authorization server URL. The well-known endpoint path and resource URL are derived automatically from the API base path extracted from PDK metadata when the policy is applied. |
|
authorization server url ( |
No default |
Enables RFC 9728 protected resource discovery with the given authorization server URL and additional metadata properties (such as |
| The configure function receives the configuration parameters defined in your policy schema. |
Validate a Token
Once configured, the validator provides the validate function, that expects a token string. The validate function sends a request to the introspection endpoint and returns the IntrospectionResult:
// extract token from header
let auth_header = handler.header("Authorization");
let token = auth_header.split_whitespace()[1];
let result = validator
.validate(&token)
.await
.map_err(PolicyError::Introspection)?;